Display XML Menu Items Based On User
page 2 of 7
by Andrew Mooney
Average Rating: 
Views (Total / Last 10 Days): 34034/ 60


You can use Windows or Forms authentication with this method. However, the code listings included in this article will be using Forms authentication. The first step is to setup security for the application.

Listing 1 demonstrates how to set up Forms Authentication for the web site's root directory. In this application everyone can access the pages in the root directory and the security for sub directories is accomplished by using a separate Web.config file inside each directory. How to secure sub directories will be discussed later in this article.

Set the authentication mode equal to Forms. Set the forms name equal to "MenuAuth." This is the name of the cookie used for forms authentication. Then under credential, set the password format to SHA1. Later I will demonstrate how to hash the passwords to store them in the web.config file. Then for each user you set the user name and hashed password. And then under authorization, allow all users by using the asterisk (*). This example stores user names and passwords in the web.config file, but you could also use a database to store this information. You may want use a database if you have a lot of user names to store.

To use the code from this article you will need to create a new web application. Start by copying the code from Listing 1 into your favorite text editor and save it in the application's root directory. There are two users in the web.config, user1 and user2. The passwords are the same as the user names.

Listing 1 - This is the Web.config file in the web site's root directory

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <authentication mode="Forms">
      <forms name="MenuAuth">
        <credentials passwordFormat="SHA1">
          <user name="User1" 
          <user name="User2" 
      <allow users="*"/>
    <compilation debug="false"/>

Listing 2 shows the login page for the web site. The web form has an input for user name and input for password, two validators to make these required fields, a label for displaying messages to the user, and a login button. When the user clicks the login button, if both the inputs are filled in, an attempt is made to authenticate the user name and password. If authentication is successful, the user is redirected to the page they were requesting. If authentication fails, the user receives a message that the user name and password they entered are invalid and they are asked to try again. Create the Login.aspx in the application's root directory.

Listing 2 - This is the Login.aspx page

<%@ Page Language="C#" MasterPageFile="~/MasterPage.master" 
Title="Menu" Theme="Default" %>
<script runat="server">
void Login_Click(Object sender, EventArgs E)
  if (FormsAuthentication.Authenticate(UserName.Value.Trim(), 
    FormsAuthentication.RedirectFromLoginPage(UserName.Value.Trim(), false);
    Msg.Text = "Invalid Credentials: Please try again";
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" 
  <h3>Login Page</h3>
    <td>User Name:</td>
    <td><input id="UserName" type="text" runat=server/></td>
    <td><asp:RequiredieldValidator ID="RequiredFieldValidator1" 
        ControlToValidate="UserName" Display="Static" ErrorMessage="*" 
    <td><input id="UserPass" type=password runat=server/></td>
    <td><asp:RequiredFieldValidator ID="RequiredFieldValidator2" 
        ControlToValidate="UserPass" Display="Static" ErrorMessage="F*" 
<asp:button ID="Button1" text="Login" OnClick="Login_Click" runat=server/>
<asp:Label id="Msg" ForeColor="red" Font-Size="10" runat=server />

Hash Password

The passwords must be hashed before you can store them in the web.config file or a database. Listing 3 is a web page that will let you enter a password; click the hash password button and the hashed version of your password is displayed in a label. It is then ready to be copied and stored in the configuration file. The hasing is accomplished by using the FormsAuthentication HashPasswordForStoringInConfigFile event. One note of caution you must use the same format in this hashing web page that you have in the web.config file or the passwords will not authenticate. You can create this file in the application's root directory, but there would be no need to publish this to a live web site.

Listing 3 - This is the web page that will allow you to hash passwords (Hash.aspx)

<%@ Page Language="C#" MasterPageFile="~/MasterPage.master" Title="Hash" 
Theme="Default" %>
<script runat="server">
protected void Button1_Click(object sender, EventArgs e)
  Label1.Text = 
  FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox1.Text, "sha1");
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" 
  <asp:TextBox ID="TextBox1" runat="server" Width="200px"></asp:TextBox>
  <asp:Button ID="Button1" runat="server" Text="Hash Password" 
  OnClick="Button1_Click" Width="100px" />
  <asp:Label ID="Label1" runat="server"></asp:Label>

View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-04-22 11:33:11 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search